From f37e83926753d8e5e8820a414fcd75d013a0248b Mon Sep 17 00:00:00 2001
From: Ibrahim Mkusa
Date: Sat, 31 May 2025 21:22:33 -0400
Subject: [PATCH] cert-manager upgrade v1.16.1 --> v1.17.2
---
 manifests/cert-manager/cert-manager.yaml | 147 +++++++++++++----------
 manifests/ingress-nginx/deploy.yaml | 2 +
 2 files changed, 87 insertions(+), 62 deletions(-)
diff --git a/manifests/cert-manager/cert-manager.yaml b/manifests/cert-manager/cert-manager.yaml
index 3dae2b5..9eef0c9 100644
--- a/manifests/cert-manager/cert-manager.yaml
+++ b/manifests/cert-manager/cert-manager.yaml
@@ -34,7 +34,7 @@ metadata:
 app.kubernetes.io/name: 'cert-manager'
 app.kubernetes.io/instance: 'cert-manager'
 # Generated labels
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 spec:
 group: cert-manager.io
 names:
@@ -355,7 +355,7 @@ metadata:
 app.kubernetes.io/name: 'cert-manager'
 app.kubernetes.io/instance: 'cert-manager'
 # Generated labels
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 spec:
 group: cert-manager.io
 names:
@@ -537,7 +537,6 @@ spec:
 type: object
 required:
 - create
- - passwordSecretRef
 properties:
 alias:
 description: |-
@@ -549,17 +548,25 @@ spec: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the JKS keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource + PasswordSecretRef is a reference to a non-empty key in a Secret resource containing the password used to encrypt the JKS keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. type: object required: - name 
@@ -582,24 +589,31 @@ spec: type: object required: - create - - passwordSecretRef properties: create: description: |- Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or in `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the PKCS#12 keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource - containing the password used to encrypt the PKCS12 keystore. + PasswordSecretRef is a reference to a non-empty key in a Secret resource + containing the password used to encrypt the PKCS#12 keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. type: object required: - name @@ -1124,7 +1138,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: group: acme.cert-manager.io names: @@ -1400,6 +1414,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string 
@@ -4331,7 +4348,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: group: cert-manager.io names: @@ -4714,6 +4731,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string @@ -8059,7 +8079,7 @@ metadata: app.kubernetes.io/instance: 'cert-manager' app.kubernetes.io/component: "crds" # Generated labels - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: group: cert-manager.io names: @@ -8441,6 +8461,9 @@ spec: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, can not be used at the same time as resourceID + type: string resourceGroupName: description: resource group the DNS zone is located in type: string @@ -11786,7 +11809,7 @@ metadata: app.kubernetes.io/instance: 'cert-manager' app.kubernetes.io/component: "crds" # Generated labels - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: group: acme.cert-manager.io names: @@ -12052,7 +12075,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" --- # Source: cert-manager/templates/serviceaccount.yaml apiVersion: v1 
@@ -12066,7 +12089,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" --- # Source: cert-manager/templates/webhook-serviceaccount.yaml apiVersion: v1 @@ -12080,7 +12103,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" --- # Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -12092,7 +12115,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] @@ -12124,7 +12147,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["issuers", "issuers/status"] @@ -12150,7 +12173,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["clusterissuers", "clusterissuers/status"] @@ -12176,7 +12199,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] 
@@ -12211,7 +12234,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "orders/status"] @@ -12249,7 +12272,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: # Use to update challenge resource status - apiGroups: ["acme.cert-manager.io"] @@ -12309,7 +12332,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests"] @@ -12346,7 +12369,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: ["cert-manager.io"] @@ -12363,7 +12386,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -12386,7 +12409,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: @@ -12411,7 +12434,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["cert-manager.io"] resources: ["signers"] @@ -12433,7 +12456,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] @@ -12459,7 +12482,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] @@ -12475,7 +12498,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12495,7 +12518,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -12515,7 +12538,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12535,7 +12558,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12555,7 +12578,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12575,7 +12598,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12595,7 +12618,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12615,7 +12638,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -12635,7 +12658,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12655,7 +12678,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -12677,7 +12700,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: # Used for leader election by the controller # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller @@ -12703,7 +12726,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] @@ -12724,7 +12747,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: [""] resources: ["serviceaccounts/token"] @@ -12742,7 +12765,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" rules: - apiGroups: [""] resources: ["secrets"] 
@@ -12767,7 +12790,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -12790,7 +12813,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -12812,7 +12835,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -12833,7 +12856,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -12854,7 +12877,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: type: ClusterIP ports: @@ -12877,7 +12900,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: type: ClusterIP ports: @@ -12901,7 +12924,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: type: ClusterIP ports: 
@@ -12929,7 +12952,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: replicas: 1 selector: @@ -12944,7 +12967,7 @@ spec: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" annotations: prometheus.io/path: "/metrics" prometheus.io/scrape: 'true' @@ -12958,7 +12981,7 @@ spec: type: RuntimeDefault containers: - name: cert-manager-cainjector - image: "quay.io/jetstack/cert-manager-cainjector:v1.16.1" + image: "quay.io/jetstack/cert-manager-cainjector:v1.17.2" imagePullPolicy: IfNotPresent args: - --v=2 @@ -12992,7 +13015,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" spec: replicas: 1 selector: @@ -13007,7 +13030,7 @@ spec: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.16.1" + app.kubernetes.io/version: "v1.17.2" annotations: prometheus.io/path: "/metrics" prometheus.io/scrape: 'true' @@ -13021,13 +13044,13 @@ spec: type: RuntimeDefault containers: - name: cert-manager-controller - image: "quay.io/jetstack/cert-manager-controller:v1.16.1" + image: "quay.io/jetstack/cert-manager-controller:v1.17.2" imagePullPolicy: IfNotPresent args: - --v=2 - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.16.1 + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.17.2 - --max-concurrent-challenges=60 ports: - containerPort: 9402 
@@ -13074,7 +13097,7 @@ metadata:
 app.kubernetes.io/name: webhook
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 spec:
 replicas: 1
 selector:
@@ -13089,7 +13112,7 @@ spec:
 app.kubernetes.io/name: webhook
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 annotations:
 prometheus.io/path: "/metrics"
 prometheus.io/scrape: 'true'
@@ -13103,7 +13126,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v1.16.1"
+ image: "quay.io/jetstack/cert-manager-webhook:v1.17.2"
 imagePullPolicy: IfNotPresent
 args:
 - --v=2
@@ -13187,7 +13210,7 @@ metadata:
 app.kubernetes.io/name: webhook
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 annotations:
 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
@@ -13226,7 +13249,7 @@ metadata:
 app.kubernetes.io/name: webhook
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.16.1"
+ app.kubernetes.io/version: "v1.17.2"
 annotations:
 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
diff --git a/manifests/ingress-nginx/deploy.yaml b/manifests/ingress-nginx/deploy.yaml
index 38e2bb3..4196278 100644
--- a/manifests/ingress-nginx/deploy.yaml
+++ b/manifests/ingress-nginx/deploy.yaml
@@ -343,6 +343,8 @@ metadata:
 app.kubernetes.io/version: 1.12.2
 name: ingress-nginx-controller
 namespace: ingress-nginx
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: www.homelab.local
 spec:
 externalTrafficPolicy: Local
 ipFamilies:
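Review bot: The two added lines in the manifests/ingress-nginx/deploy.yaml hunk, `annotations:` and `external-dns.alpha.kubernetes.io/hostname: www.homelab.local`, are a hand edit inside what appears to be the upstream-rendered ingress-nginx manifest, and nothing marks them as local, so the next regeneration of deploy.yaml will drop them silently; the commit subject also mentions only the cert-manager upgrade. Either carry the annotation in a separate patch or overlay, or add a comment above it such as `# local addition (not upstream): external-dns record for the controller Service; re-add after regenerating`. Because this annotation asks external-dns to publish a record for the controller's address, it is worth confirming that the external-dns instance is limited to an internal zone; note too that `.local` is reserved for mDNS (RFC 6762), so some clients will not resolve `www.homelab.local` through unicast DNS. The object's `kind` and `type` lie outside the hunk, so reading it as the controller Service is inferred from `externalTrafficPolicy`.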